Getting Started with Continuous Auditing and Continuous Monitoring

Prepared for Detroit IIA Chapter, February 8, 2011


Session Objectives

•  Reviewing the “what and why” of Data Analysis and Continuous Auditing
•  IIA Guidance (Global Technology Audit Guide #3)
•  Internal Audit Utopia – what might it look like? How far away is it? Why?
•  Maturity Model approach. People, Process, Governance, and Technology
•  Visual Risk IQ’s QuickStart Methodology – ways to get started
•  Exercises / Examples
•  Q&A

Visual Risk IQ – GRC thought leadership, practically applied © 2011 Visual Risk IQ, LLC, All Rights Reserved


How do today’s economic conditions affect the auditing profession?

•  Lowering Earnings Guidance
•  Continued SG&A expense control initiatives
•  Staff reductions
•  Hiring (salary, travel) freezes in the Company
•  Bigger audit staffs / bigger audit budgets?

•  Think about the Fraud Triangle
•  Financial Pressure, and even Rationalization, are increasing
•  What is the Audit Profession doing about Opportunity?


Headlines / Fraud in the News

Review of IIA Guidance

•  Continuous Auditing
   •  Method used to perform audit-related activities on a continuous basis. Includes control and risk assessment
   •  Activities performed by the Internal Audit function
•  Continuous Monitoring
   •  Process to ensure policies / processes are operating effectively and to assess adequacy of controls
   •  Performed by Operational / Financial Management; audit independently evaluates the
•  Continuous Assurance
   •  Combination of Continuous Auditing and Audit Oversight of Continuous Monitoring Activities
•  CAATs (Computer Assisted Audit Techniques)
   •  Using data analysis in executing audit programs

Relationship between Continuous Auditing and Continuous Monitoring

•  Role of continuous auditing is dependent on Management’s role in continuous monitoring
   •  Inverse relationship between management and audit activities
•  True continuous assurance
   •  Depends on effective monitoring of internal controls by management
   •  And on Audit’s independent assessment of that function
•  Where is your management team?
•  How is Internal Audit helping?

Evolution from CAATs to CA to CM

[Diagram: progression from CAATs to Continuous Auditing to Continuous Monitoring, labeled from Internal Audit to Business]

CAATs
•  Greater coverage than sampling
•  Deep coverage from automated testing
•  Core competency of internal audit
•  Created on demand, reuse is considered

Continuous Auditing
•  Repetitive/on-going; frequent intervals
•  Not based on audit project timeline
•  More in-depth automated testing
•  Centralized process requires cross-audit-program focus

Continuous Monitoring
•  Monitoring controls, responsibility of business process owners
•  Periodically reviewed by IA
•  Includes both transaction and controls monitoring

Continuous Auditing has been a hot topic for 5++ years. But what is continuous, really?


Continuous auditing and continuous monitoring become “right time” when the timing and frequency of evaluation matches business requirements. What frequency is right for your revenue transactions? Supply chain?

[Charts: Continuous auditing / continuous monitoring programs; Today’s continuous auditing frequency]

** Source: 2009 State of the Internal Auditing Profession Copyright PricewaterhouseCoopers LLP 2009

What might Audit “Utopia” look like? How far away are we?

[Diagram labels: Corporate Data; Enterprise; Audit Projects; Risk Assessment; Planning; Planning & Scoping; Execution; Reporting]

Implementing continuous auditing across your audit methodology is not about technology

[Diagram labels: Risk Assessment; Audit Plan; Stakeholder Reporting; Enterprise; Audit Projects; Project plan; Project execution; Project Reporting; Technology]

…it’s about a model that acknowledges the impact of People, Audit Process, and Governance

[Diagram labels: Risk Assessment; Audit Plan; Stakeholder Reporting; Enterprise; Audit Projects; Project plan; Project execution; Project Reporting; People; Technology; Governance; Audit process]

We advocate that risk assessment should be the centerpiece of the audit process

[Diagram labels: Enterprise; Audit Projects; Risk Assessment; Planning; Planning & Scoping; Execution; Reporting]

Our Continuous Auditing Maturity Model was published in 2009 in WG&L’s Internal Auditing

Maturity stages: Basic practices; Repeatable CAATs; Frequent CAATs; Continuous auditing

People
•  Basic practices: Staff has some basic data literacy. Knows how to ask IT for digital information
•  Repeatable CAATs: Some IT- and data-specific specialists are accessible, either in-house or as consultants
•  Frequent CAATs: Audit staff and leaders are IT- and data-literate. Little distinction between IT audit and financial / operational audit people
•  Continuous auditing: No need for ad hoc data acquisition - CA and CCM systems are well-integrated into finance, operations, and Enterprise Risk Management (ERM)

Technology
•  Basic practices: Basic data capture and analysis using MS-Office or ERP Query tools. Heavy reliance on Corporate IT
•  Repeatable CAATs: Some re-usable scripts exist and are used on-demand for relevant audit projects. Prevalent use of CAAT tools like IDEA and/or ACL
•  Frequent CAATs: ACL and IDEA scripts are stored, scheduled, and run at appropriate intervals in support of audit projects
•  Continuous auditing: Continuous auditing and monitoring technologies contribute to all audit steps at project and department level

Governance
•  Basic practices: Business is reactive to requests from Internal Audit and usually helps in a timely way
•  Repeatable CAATs: Audit department can and does access enterprise data directly at the source
•  Frequent CAATs: IT consults with IA prior to making system changes that are known to affect IA.
•  Continuous auditing: Data driven early warning / risk alerts include both business and controls / audit implications.

Audit methodology
•  Basic practices: Risk assessments are conducted annually
•  Repeatable CAATs: Updates to risk assessments are conducted more frequently than annually
•  Frequent CAATs: Risk assessments are scheduled at regular intervals and updated based on internal and external data points.
•  Continuous auditing: Risk assessments consider objective and subjective data. Gaps between objective and subjective assessments are highlighted

Moving up the Maturity Curve is best accomplished in simple, deliberate steps


Questions and Dinner Break

QuickStart℠ Methodology: Brainstorming

[Methodology steps: Brainstorm; Acquire and Map Data; Write Queries; Analyze and Report; Refine and Sustain]

Brainstorm

•  Review Audit Objectives
•  Explore Internal Data Sources
•  Compare vs External Data Sources
•  Consider with other Audit Tests
•  Use Trending and Exception Queries

Brainstorming Exercise: P-Card Audit

•  Assumptions:
   •  Data acquisition is easy and free. Any interesting data file, whether internal or external, can easily be made available on our audit department server (PC, USB Drive, etc.)
   •  Programming resources are plentiful and affordable. Most any query that the team brainstorms can be developed at a reasonable cost.
   •  There is sufficient time in the audit between planning and fieldwork, such that the queries can be developed, tested, and executed.
•  So….
   •  What data sources would you like to have for an audit of …. Purchasing Card?
   •  What audit objectives do you have?
   •  And what interesting queries would you want to write?

QuickStart℠ Methodology: Acquire and Map Data

•  Identify specific sources

•  Explore direct vs. flat file access

•  Submit written data request, including control totals

•  Tie out record counts and control totals

•  Trace control totals back to ledger or other source systems
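The tie-out step in the list above (recompute record counts and control totals on receipt and compare them with the totals stated in the data request), as an added example that is not part of the original presentation. The flat-file layout, the `amount` column, the sample P-Card rows and the stated totals are all constructed assumptions.

```python
import csv
import io
from decimal import Decimal, InvalidOperation

# Constructed sample P-Card extract (flat file); not real data.
SAMPLE_EXTRACT = """txn_id,cardholder,merchant,amount
1001,A. Lee,Office Depot,125.40
1002,B. Cruz,Delta Air,389.00
1003,A. Lee,Staples,"1,020.15"
1004,C. Shah,Amazon,N/A
1005,B. Cruz,Hilton,-45.10
"""

# Control totals as stated by the data owner (constructed for this example).
STATED = {"record_count": 5, "amount_total": Decimal("1564.45")}


def parse_amount(text):
    """Parse a currency string exactly; return None if it is not a number."""
    cleaned = text.strip().replace(",", "").replace("$", "")
    try:
        value = Decimal(cleaned)
    except InvalidOperation:
        return None
    return value if value.is_finite() else None


def tie_out(extract_text, stated, amount_field="amount"):
    """Recompute record count and amount total; compare with stated totals."""
    count, total, unparsed = 0, Decimal("0"), []
    reader = csv.DictReader(io.StringIO(extract_text))
    # Line numbers assume one record per physical line (header is line 1).
    for line_no, row in enumerate(reader, start=2):
        count += 1
        amount = parse_amount(row.get(amount_field) or "")
        if amount is None:
            unparsed.append(line_no)  # report it, never drop it silently
        else:
            total += amount
    count_diff = count - stated["record_count"]
    amount_diff = total - stated["amount_total"]
    return {
        "record_count": count,
        "amount_total": total,
        "count_diff": count_diff,
        "amount_diff": amount_diff,
        "unparsed_lines": unparsed,
        "tied_out": count_diff == 0 and amount_diff == 0 and not unparsed,
    }


if __name__ == "__main__":
    for key, value in tie_out(SAMPLE_EXTRACT, STATED).items():
        print(f"{key}: {value}")
```

On the sample, the record count ties but the amount total does not, and the unreadable value on line 5 accounts for the gap. Tracing the stated totals back to the ledger remains a separate step that this check does not cover.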


QuickStart℠ Methodology: Refine and Sustain

•  After-Action Review

•  Re-use Queries for Follow-up Tests

•  Re-use Queries for Risk Assessment

•  Transition Queries to Management


Refine and Sustain Examples

•  After Action Review
   •  Consider timing of key audit tasks
   •  What should we do earlier?
   •  What could we do later?
   •  Who else should we involve? Why?

[Diagram labels: Start; Stop; Continue]

Wrap-up Thoughts

•  Assess where your audit team is on the Maturity Curve. Where do you want to be? Find a small win opportunity and get started.
•  Begin with more frequent risk assessment. What questions should we ask each quarter to tell us whether our risk assessment is still on target?
•  Identify an audit where you can be data-driven in your analysis. What questions do you want to answer? How does management know?
•  Identify management reports that audit can use to validate financial or operational performance. Would accessing the data sources directly answer other questions?
•  Challenge your teams to be the R&D lab for innovation in continuous monitoring and data analysis

For Additional Information

“And will you succeed?

Yes! You will, indeed!

98 and 3/4% guaranteed**”

So Follow, Friend, Connect with us at:

www.twitter.com/VisualRiskIQ

http://ContinuousAuditing.BlogSpot.com

www.Linkedin.com/in/JoeOringel


704-353-7000 (office)

704-752-6403 (mobile)